Beyond burglar alarms

When many managers leave the office, they lock the doors, activate a security system and consider themselves safe. But the main culprit in business theft is not a stranger in a stocking cap. Unfortunately, companies are more likely to be ripped off by one of their employees.
“These offenders aren’t street thugs out there stealing purses,” says forensic accountant John Hughes of Audit Services of Virginia in Williamsburg. “These people are in positions of trust. This is like your spouse cheating on you.”

Plus, the stakes are higher with an inside job. Businesses lose an estimated 7 percent of their annual revenues to fraud, with a median loss per detected fraud of $175,000, according to the Association of Certified Fraud Examiners (ACFE). By contrast, “the average commercial burglary is $1,200,” Hughes says. “It amazes me the number, for example, of medical practices that spend so much more on a burglar alarm than on any sort of internal controls.”

As an increasing number of workers are laid off and those who remain cover multiple jobs, some risk analysts expect the problem to get worse. “Employees worried about losing their jobs are likely to get the mindset that they need to ‘get it while they can,’” says Angelina Rubenzer, a senior risk consultant with Charles Lunsford Sons & Associates in Roanoke.
Workers have been known to walk out the door with tenderloins, coats, toilet paper and, of course, company pens, experts say. “They rationalize it’s not really stealing — it’s just stuff,” says John McDaniel, executive vice president of Richmond-based Brown & Brown Insurance Agency of Virginia. “They don’t stop to think these things cost.”

Sometimes an insider works with someone on the outside. “There have been a number of cases in Virginia retail markets where the customer is a friend of the cashier,” Hughes says. “The customer goes through the line with a couple of pairs of socks and a suit. The cashier will ring up the socks, take the security tag off the suit and the customer goes on out. We’ve had that in Williamsburg.”

Small businesses vulnerable
Small businesses are especially vulnerable to business fraud and theft, the ACFE study found. “The small businesses can’t afford all the elaborate detection and prevention devices that a large business can,” Hughes says. “But a lot of times, small businesses don’t do the basic steps that they could [afford to] do because they think it’s cost prohibitive. But it isn’t.”
Some effective deterrents are amazingly low-tech — such as using clear trash bags instead of black ones. “There are restaurants in Virginia I’ve seen recently that have switched to translucent garbage liners,” Hughes says. “They’ve found that employees put products in the trash, take the bag to the Dumpster, then come out later to retrieve it. Or, in a department store, a cleaning person might take a coat out with the trash. The translucent bags act as a deterrent. If you put that tenderloin in a clear bag and carry it out, people can see you have something in the trash besides just trash.”

Meantime, more sophisticated thieves defraud employers by manipulating financial computer programs. “You can go into Quick Books and file an entry for $1,100 payable to Dominion Power,” Hughes says. “Then you can manually prepare the check and make it payable to yourself or to your credit card bill.”
In these cases, new vendors can be a cause for concern — those vendors may be fictitious companies created by the embezzling employee with payments ending up in the employee’s bank account. “Probably half the employee thefts I’ve witnessed over the last 30-odd years are [the result of creating] fictitious vendors and paying those vendors by company check,” Hughes says.
These losses can continue for years. The median time it takes for fraud to be uncovered is two years, according to a 2008 ACFE study. Tips from fellow employees, vendors and customers uncovered the most cases of business fraud, nearly half, according to the ACFE study.

Taking proprietary data
Employees also can appropriate competitive proprietary data and private financial information about clients and fellow employees — either on an ongoing basis or when they leave their jobs. Often these thefts are a violation of the Sarbanes-Oxley Act of 2002, intended to protect private client information and prevent fraud.
“It could be information about the company, the employees and/or their clients,” Rubenzer says. Employees or former employees could use this information for identity theft or to poach clients. “This theft may actually be more damaging, as it could have compounded losses for the company,” she says.

Cyber liability insurance is a relatively new product designed to protect businesses from these kinds of risks, says Tom Heim, senior vice president for risk financing at RCM&D in Glen Allen. “These policies protect a business if someone were to steal credit card information, Social Security information.”
The liability to a company for such a theft is huge. “You have to provide credit card monitoring, and that costs a couple of thousand dollars a year per individual,” Heim says.
The cost of cyber policies varies widely based on deductibles, limits, exposures and the risk management policies in place. A policy with a $10 million limit and a $500,000 deductible could run $50,000 a year, Heim says.
For any theft, one red flag to watch for is sudden evidence of an employee’s new wealth, such as a new car or fancy clothes. Another tip-off might be that hard-working employee who never takes a vacation. Instead of being a workaholic, he or she may be a thief covering up fraud, McDaniel says. “Requiring people in sensitive positions to take two weeks vacation a year is a good preventative,” McDaniel says. “You need to have enough time for wrong-doing to surface.”

Fidelity insurance
Fidelity/crime insurance policies protect businesses from loss of money, securities or inventory resulting from criminal acts such as employee theft, dishonesty, embezzlement and forgery. But not enough businesses are willing to take on the expense — until something happens, Hughes says. McDaniel recommends fidelity coverage for all of his business clients. Cost will vary based on limits, the size of the company and other factors, but most crime policies are relatively inexpensive, he says.
The insurance coverage, however, doesn’t make up for lost time investigating the fraud, prosecuting the employee and training a replacement worker.

Preventing fraud starts before a worker is hired. “One of the least expensive, least time consuming and very effective ways to prevent hiring a thief is to check references,” Rubenzer says.
Creating a culture of honesty helps, too, according to a 2002 study sponsored by the ACFE. Businesses develop that culture with education, ethics training and formal ethics policies for all employees from top management to receptionists and loading dock workers.

Once they’re hired, employees should be taught that seemingly minor actions add up, Rubenzer says. If each of 100 employees takes home one 25-cent company pen every week, that’s a loss of $100 a month.
Good relationships help. “When employees had a good outlook on their former employer, they were much less likely to take information when they left — 28 percent as opposed to 61 percent,” says Mike Spinney, spokesman for The Ponemon Institute, which has conducted studies on fraud and ethics.

Computer controls such as encryption and locks help ensure that private data remains private from misuse by employees as well as protected from outsiders, Spinney says.
The payoff to improved ethics and tighter controls can be significant. A study in Great Britain by the Institute of Business Ethics (IBE) found that companies with ethics codes outperformed those without such policies over a four-year period. “Not only is ethical behavior in business life the right thing to do in principle,” IBE Director Philippa Foster Back says in a statement, “we have shown it pays off in financial returns.”

If employees balk initially at ethics programs and controls, managers can share this message: “It’s not that I don’t trust you, but the more I make, the more you can make,” says Hughes of Audit Services of Virginia.